Sunday, June 1, 2014

Luhe.MalMSIL.A Found, What Does It Do and How to Remove


is Luhe.MalMSIL.A false positive?




OUTLINE
  • If Luhe.MalMSIL.A FP?
  • If Luhe.MalMSIL.A is FP, what should I do?
  • If Luhe.MalMSIL.A is not FP, what should I do?
  • Why there’s false positive?


If Luhe.MalMSIL.A False Positive?


I recently downloaded a .zip folder with a program but when I tried to extract the files from the .zip folder, my anti-virus (AVG) said that it had found a high-security risk: a file called Luhe.MalMSIL.A” – this is how many victims say to encounter Luhe.MalMSIL.A.

According to some security companies, the Trojan horse adopts multiple MD5 and drops plenty of executable files on a target machine to:
  1. Modify or block some cyber gates (CyberGate.1.18.exe).
  2. Download more ads or the vicious codes embedded in some Youtube videos (Youtube Unblocker.exe) or Facebook (Facebook Hack v.7.exe).
  3. Record in-put information (HackTrade.exe).
  4. Replace some original files (Thumb.bat.exe) to confuse the machine as well as PC users.

It is clear that the affiliate files of Luhe.MalMSIL.A are not necessarily named after the Trojan horse and most of the vicious files try to be displayed as innocent. But is it possible that Luhe.MalMSIL.A is false positive as AVG has had some trouble with Luhe.MalMSIL family. Please follow the below steps to help you identify if the detection if FP:
  1. Update your installed anti-virus program.
  2. Check if your PC performance is slowed down.
  3. See if there’s more mass on your browser.
  4. Track your CPU to see if it is unstable and if there are more unknown and suspicious processes running in the background.
  5. Pay attention to the programs you have on your machine to see if there are some unknown ones.


Way to Deal with Luhe.MalMSIL.A


Global PC Support Center has given two options for PC users to follow up.

Situation 1 - Luhe.MalMSIL.A Is False Positive

A
stop Luhe.MalMSIL.A’s false alert.

  1. Right click on “My Computer”/”Computer” to select “Property”.
  2. Browse to “Advanced ” tab for “Error Reporting”.
  3. Resolve Luhe.MalMSIL.A false positive: disable error reporting
  4. Tick “Disable error reporting” and hit Enter key will stop Luhe.MalMSIL.A false positive alert ever after.
end error report



B
add Luhe.MalMSIL.A to white list of the installed anti-virus program (take AVG for example)
.
  1. Go to AVG whitelist service.
  2. AVG window > Tools menu > "Advanced Settings.." > "PUP Exceptions" > "Add Exception" > enter the full path to the file detected.



Situation 2 - Luhe.MalMSIL.A Is Not False Positive

A
Access Task Manager to remove the items with the path directing to Luhe.MalMSIL.A according to the installed anti-virus program.
(tip: if you are not able to access Task Manager with the key combination, please access Run box from Start menu and type “CMD”; hit Enter key to put in “taskkill.exe /im msblast.exe” or “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe”)

Access Task Manager > View > select columns > tick "PID" and "Path name" > go to open up System Information > end the process with path name directing to  Luhe.MalMSIL.A's path(according to the threat alert) or the path that doesn't belong to system.
select Colunms to tick PID and Path Name
(tip: if some vicious processes reappear, one could find the PPID through PID functionality; please then remove the parent process(es) with the command “taskkill /im system.exe /f” through DOS window.)



B
Unveil hidden files and folders to remove the ones created by Luhe.MalMSIL.A.

Windows 7/XP/Vista - Control Panel > user accounts and family safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > non-tick ‘Hide protected operating system files (Recommended)’ > OK button.

Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.

  • Access the detected path and remove all the items there.
  • Access the following folders to remove the items generated on the day when  Luhe.MalMSIL.A was firstly detected:
    (tip: if one owns Windows XP, it is suggested to execute the following steps after closing down System Restore function: right click on “My Computer”/”Computer” > Property > navigate to System Restore tab > tick “Turn off System Restore”)
turn off system restore to prevent from Luhe.MalMSIL.A's reimage
%SystemRoot%\system32\%Temp%\
%SystemDriver%\
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\

variable declarations
  • %SystemDriver% - the system division is "C:\" by default.          
  • %SystemRoot% - the directory of WINDOWS is known as“C:\Windows” by default.
  • %Documents and Settings% - the user's document is commonly referring to as “C:\Documents and Settings”.
  • %Temp% - it is commonly known as“C:\Documents and Settings\[current user name]\Local Settings\Temp”.
  • %ProgramFiles% - the default installation directory of system programs defaults to“C:\ProgramFiles”.


C
Access DataBase to make rectifications.

  • Press down Win key and R key together.
  • Type “regedit” and hit Enter key.
  • Navigate to the following entry to see and remove the values (C:\WINDOWS\system32\system.exe) under “Run” that you have not seen before:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Then search for the processes detected in stepB to remove them in Database.


D
Remove cookies from browser settings.

Internet Explorer
Tools icon > Safety > “Delete browsing history” option in > tick “Cookies” > “Delete” button.

Chrome
‘Customize and control’ menu > Tools > “Clear Browsing Data” option > tick “Delete cookies … “> “Clear browsing data”.
Firefox
Tools menu > “Cookie Manager” > “Manage Stored Cookies” > remove all cookies.
Opera
Open up Opera and make it as the current browser > Alt+P key combination > Privacy and Safety > “Cookie” > click on “all cookies and website data” button.



E Remove temp files generated by Luhe.MalMSIL.A.
  1. Press Win key and R key together, you’ll get a pop-up Run box.
  2. Type “%Temp%” in the box and hit Enter key, you’ll be led to all temp files.
  3. Remove the ones that are not loaded by system.
  4. When done, return to the previous menu to click open “Temporary Internet Files”.
  5. Locate the folder ”Content.[the browser you are using]+[the version you are using] ”, for example, content.ie5.
  6. Remove all the files there (except index.dat).



Why False Positive?


Luhe.MalMSIL.A false positive can happen when the installed items contain a field with the attribute code that is identical to the virus signature anti-virus companies have in their virus reservoir. As a matter of fact, anti-virus programs are not as smart as we think they are. It is the virus signature that they replay on to catch to kill virus.

Each anti-virus company has its own virus signature files containing a large number of binary strings and correspondent virus names. Binary strings are made from the virus analysis by anti-virus company and divided into several groups according to functions/features such as disrupting system files, modifying procedure code, copying self and spreading via the Internet.

Luhe.MalMSIL.A false positive can happen when a software/item, written with EPL (Easy Programming Language) which is non-mainstreaming language, is downloaded.

Test by VilmaTech Online Support
Senior technicians have made a test for proof: we created a new blank window with EPL and compiled it statically to exe; then we scan the window with security utility.
  1. suspicious file was found for the first time.
  2. virus alert was finally released at the second time.
get expert help in removing Luhe.MalMSIL.A




No comments: